Smart Online Order for Clover <= 1.6.0 - Missing Authorization
Description
The Smart Online Order for Clover plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.6.0. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=1.6.0What Changed in the Fix
Changes introduced in v1.6.1
Source Code
WordPress.org SVN# Exploitation Research Plan: CVE-2026-42745 (Smart Online Order for Clover) ## 1. Vulnerability Summary The **Smart Online Order for Clover** plugin for WordPress (versions <= 1.6.0) is vulnerable to **Missing Authorization**. Several REST API endpoints and administrative functions lack proper cap…
Show full research plan
Exploitation Research Plan: CVE-2026-42745 (Smart Online Order for Clover)
1. Vulnerability Summary
The Smart Online Order for Clover plugin for WordPress (versions <= 1.6.0) is vulnerable to Missing Authorization. Several REST API endpoints and administrative functions lack proper capability checks (current_user_can). Specifically, the plugin's REST API, defined in includes/moo-OnlineOrders-Restapi.php, registers multiple routes with permission_callback set to __return_true, making them accessible to unauthenticated attackers. This allows unauthorized modification of product visibility, stock status, and potentially plugin settings.
2. Attack Vector Analysis
- Endpoint:
/wp-json/moo-clover/v1/sync/update_item(inferred fromSyncRoutesregistration) oradmin-ajax.php. - Primary Target: Product status modification (Hiding items, marking as Out of Stock).
- Authentication: None (Unauthenticated).
- Preconditions: The plugin must be active and connected to a Clover merchant account (to have items in the database).
- Payload: JSON or POST parameters containing item UUIDs and the desired status.
3. Code Flow
- Entry Point: A request is made to the REST API namespace
moo-clover/v1. - Registration: In
includes/moo-OnlineOrders-Restapi.php, routes are
Summary
The Smart Online Order for Clover plugin for WordPress (up to 1.6.0) is vulnerable to unauthorized access because it fails to implement capability checks on several REST API endpoints. This allows unauthenticated attackers to perform unauthorized actions, such as modifying product visibility, synchronization settings, and stock status, by accessing endpoints where the permission callback is incorrectly set to always return true.
Vulnerable Code
// includes/moo-OnlineOrders-Restapi.php public function register_routes() { //register v2 routes $this->syncRoutes->register_routes(); $this->dashRoutes->register_routes(); $this->customersRoutes->register_routes(); $this->checkoutRoutes->register_routes(); //get categories route register_rest_route( $this->namespace, '/categories', array( array( 'methods' => 'GET', 'callback' => array( $this, 'getCategories' ), 'permission_callback' => '__return_true' ) ) ); //get items per category route register_rest_route( $this->namespace, '/categories/(?P<cat_id>[a-zA-Z0-9-]+)/items', array( array( 'methods' => 'GET', 'callback' => array( $this, 'getItemsPerCategory' ), 'permission_callback' => '__return_true' ) ) );
Security Fix
@@ -194,7 +194,7 @@ array( 'methods' => 'GET', 'callback' => array( $this, 'getCategories' ), - 'permission_callback' => '__return_true' + 'permission_callback' => function() { return current_user_can( 'manage_options' ); } ) ) ); @@ -203,7 +203,7 @@ array( 'methods' => 'GET', 'callback' => array( $this, 'getItemsPerCategory' ), - 'permission_callback' => '__return_true' + 'permission_callback' => function() { return current_user_can( 'manage_options' ); } ) ) );
Exploit Outline
An unauthenticated attacker can target sensitive REST API endpoints under the '/wp-json/moo-clover/v1/' namespace. By identifying endpoints registered within classes like SyncRoutes or DashboardRoutes (e.g., '/sync/update_item'), an attacker can send a POST request containing specific item UUIDs and desired status values. Because these endpoints use '__return_true' for their permission_callback, the plugin processes the request without verifying the sender's identity or permissions, allowing for unauthorized modifications to product visibility and store settings.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.